What if this is an attempt to smoke out the TrueCrypt devs?
While this move seems odd, the new binaries are properly signed and the domains have been updated accordingly. If this was another project, like Rails, the maintainer could come out and say they were hacked and the last good version was X. Otherwise, the project would likely die off.
But since we know so little about the TrueCrypt maintainers, there's little way for us to hear that this isn't legitimate. In order to keep the project from dying (if this is a hoax), they would have to prove that they are the maintainers, because any plausible deniability would undermine their claim that the change was not legitimate.
Wouldn't they just have to publish a signed message stating that the change was not theirs and the key is compromised? Or better yet, revoke the key?
If two groups with opposing messages control the key, it's pretty clear that the key is compromised in some manner.